Redefining Public Key Infrastructure (PKI) in the Post-Quantum Era

January 27, 2025

After years of vigorous development, the National Institute of Standards and Technology (NIST) published four official Post-Quantum Cryptography (PQC) algorithms in August 2024. These algorithms are rapidly transforming the cybersecurity industry as organizations must address the unprecedented prospective threat posed by cryptographically relevant quantum computers. ABI Research has previously covered how the Hardware Security Module (HSM) market is leveraging PQC algorithms, but another important market worth examining is Public Key Infrastructure (PKI).

Combining legacy algorithms with PQC algorithms offers much-needed safeguards in highly regulated industries such as banking and healthcare. This post will unveil how PQC-PKI integration is generating new opportunities and carving the future of PKI in a post-quantum world.

New Opportunities Arise

Integrating PQC within PKI systems and HSMs requires cybersecurity vendors and enterprise end users to consider new ways of thinking about said solutions. As the PQC market matures, ABI Research identifies the following trends rapidly altering PKI product development, unlocking new revenue opportunities.

Changing Payment Methods: More certificates and keys, along with faster replacement times, give vendors a chance to generate more sales. This is especially true if a vendor charges per certificate or offers pay-as-you-go plans. But to attract more customers and retain them, PKI vendors should offer discounts for larger volumes. How these payment models work still changes depending on the situation, and there's no clear pattern yet for quantum-safe technology.

Artificial Intelligence (AI)-Enhanced Automation: AI is transforming nearly every industry, with cybersecurity being no exception. For PKI systems in the post-quantum era, AI integration can be used to automate certificate status tracking and system notifications (e.g., expiration alerts).

Hybridized Approaches: Most companies will not want to initially jump straight to fully PQC-based security solutions. Offering hybridized PKI systems where traditional and PQC algorithms coexist will be conducive to a smooth transition. A NIST report from November 2024 emphasized the importance of ensuring backward compatibility and interoperability throughout the PQC transition. Hybridized solutions are currently limited to niche use cases, and questions remain about which type of hybridized certificates should be used going forward.

Growing Focus on Discovery-Based Tools: A vital aspect of PQC support in PKI systems is the development of discovery-oriented tools. These tools, which are still at an early stage of development, help create crypto inventories and foster innovation. Expanding Research and Development (R&D) efforts should be a top priority in the industry, with an emphasis on integrating certificate/key discovery at the device provisioning stage.
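
The crypto inventory, hybrid classification and expiration alerts described in the trends above can be sketched in a few lines. This is an added example, not ABI Research's or any vendor's code: the record layout, host names, 30-day warning window and queue ordering are assumptions, and the sample records are constructed.

```python
from datetime import date

TODAY = date(2025, 1, 27)  # assumed evaluation date (the post's publication date)

# Signature-algorithm OID -> (name, family). "classical" algorithms are the ones
# a cryptographically relevant quantum computer would break; ML-DSA is the
# standardized form of Dilithium.
OID_FAMILY = {
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "classical"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "classical"),
    "2.16.840.1.101.3.4.3.17": ("ML-DSA-44", "pqc"),
    "2.16.840.1.101.3.4.3.18": ("ML-DSA-65", "pqc"),
    "2.16.840.1.101.3.4.3.19": ("ML-DSA-87", "pqc"),
}

# Constructed sample of what a discovery scan might emit (hypothetical hosts).
SAMPLE_RECORDS = [
    {"subject": "outlook-plugin.example", "not_after": "2026-01-27",
     "sig_oids": ["1.2.840.113549.1.1.11", "2.16.840.1.101.3.4.3.18"]},
    {"subject": "pump-fw-signer.example", "not_after": "2025-02-10",
     "sig_oids": ["1.2.840.10045.4.3.2"]},
    {"subject": "internal-ca.example", "not_after": "2030-01-01",
     "sig_oids": ["2.16.840.1.101.3.4.3.19"]},
    {"subject": "mail-gw.example", "not_after": "2027-03-01",
     "sig_oids": ["1.2.840.113549.1.1.11"]},
    {"subject": "legacy-vpn.example", "not_after": "2025-02-05",
     "sig_oids": ["1.2.3.4"]},  # unrecognised OID: must not be assumed safe
]

def classify(sig_oids):
    """Return 'classical', 'pqc', 'hybrid' or 'unknown' for one certificate."""
    families = {OID_FAMILY.get(oid, (oid, "unknown"))[1] for oid in sig_oids}
    if not families or "unknown" in families:
        return "unknown"
    return "hybrid" if len(families) == 2 else families.pop()

def build_inventory(records, today=TODAY, warn_days=30):
    rows = []
    for rec in records:
        days_left = (date.fromisoformat(rec["not_after"]) - today).days
        posture = classify(rec["sig_oids"])
        rows.append({"subject": rec["subject"], "posture": posture,
                     "days_left": days_left,
                     "expiry_alert": days_left <= warn_days,
                     "needs_migration": posture in ("classical", "unknown")})
    # Migration queue: non-PQC first, longest-lived first (exposed the longest).
    rows.sort(key=lambda r: (not r["needs_migration"], -r["days_left"]))
    return rows

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RECORDS):
        print(row)
```

An unrecognised or missing algorithm is reported as "unknown" and queued for migration rather than treated as quantum-safe, so gaps in the OID table surface as work items instead of silent passes.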

[Chart: PQC-PKI penetration rate]

PQC-PKI Use Cases

While PQC integration within PKI is still nascent, there are early case studies to learn from. In the financial services industry, Banque de France and the Monetary Authority of Singapore are addressing the quantum threat by using PQC algorithms to secure electronic communications. The two banks leverage CryptoNext’s email plug-in to encrypt communications via PKI. The plug-in uses the NIST-selected Dilithium and Kyber algorithms to secure Microsoft Outlook messages. Hybridization is a core pillar of the two institutions’ quantum-safe security posture, as the deployment uses both standard Rivest-Shamir-Adleman (RSA) and post-quantum signatures. This hybrid approach ensures continued support for legacy systems and protection in the event one algorithm is compromised. The successful trial from Banque de France and the Monetary Authority of Singapore demonstrates the ability of quantum-safe technologies to secure communications across borders, which is essential in an increasingly connected world.

Like banking, the healthcare industry is tasked with handling sensitive data that can be stolen by threat actors. One potential PQC use case that ABI Research has identified is safeguarding Internet of Medical Things (IoMT) devices such as insulin pumps. These devices hold sensitive health data that can be exposed over cloud networks, creating a risk of data theft or device tampering. This could pose a credible threat of physical harm to diabetic users. PQC-PKI integration ensures medical devices are ready to address quantum computing threats. Given the memory and processing power constraints of IoMT devices, vendors should consider using lightweight cryptographic algorithms in conjunction with PQC. Examples include combining low-power consumption protocols like Elliptic Curve Cryptography (ECC) with PQC, and testing cryptographic solutions with Kubernetes applications due to their limited usage of Central Processing Units (CPUs).

PQC is destined to be a staple in the future of cybersecurity. However, it is ABI Research’s understanding that its integration into PKI systems is very much in the early stages. Just 2% of PKI solutions will support PQC algorithms in 2025, with that number tripling to 6% by 2030. The year 2025 will certainly be a pivotal one for PQC-PKI solutions, but interoperability challenges and incompatibility issues with legacy systems remain an inhibitor. Vendors such as Entrust, SEALSQ, Keyfactor, Crypto4A, and Securosys are market leaders in this space, offering platforms for infusing PQC-based safeguards into PKI, HSMs, and Trusted Platform Modules (TPMs). ABI Research will continue to be at the forefront of this fledgling market, keeping you up-to-date with the latest technological developments and vendor activities as PQC-enhanced security tools gain wider prominence.

For a closer evaluation of PKI-PQC integration and how vendors are answering the call to quantum-safe technologies, download our presentation, PKI and Post-Quantum Business Models.


Tags: Quantum Safe Technologies

Written by Aisling Dawson

Industry Analyst, Aisling Dawson, is a member of the ABI Research Cyber & Digital Security team, conducting research into cryptographic services and techniques within the Quantum Safe Technologies Research Service. Aisling’s research focuses on topics such as Public Key Infrastructure (PKI), migration to post-quantum encryption, and confidential computing. 
